logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Signal.md (11941B)

    

  1. ---
  2. date: 2018-08-08
  3. layout: post
  4. title: I don't trust Signal
  5. tags: [privacy]
  6. ---
  8. Occasionally when Signal is in the press and getting a lot of favorable
  9. discussion, I feel the need to step into various forums, IRC channels, and so
  10. on, and explain why I don't trust Signal. Let's do a blog post instead.
  12. Off the bat, let me explain that I expect a tool which claims to be secure to
  13. actually be secure. I don't view "but that makes it harder for the average
  14. person" as an acceptable excuse. If Edward Snowden and Bruce Schneier are going
  15. to spout the virtues of the app, I expect it to *actually* be secure when it
  16. matters - when vulnerable people using it to encrypt sensitive communications
  17. are targeted by smart and powerful adversaries.
  19. Making promises about security without explaining the tradeoffs you made in
  20. order to appeal to the average user is unethical. Tradeoffs are necessary - but
  21. self-serving tradeoffs are not, and it's your responsibility to clearly explain
  22. the drawbacks and advantages of the tradeoffs you make. If you make broad and
  23. inaccurate statements about your communications product being "secure", then
  24. when the political prisoners who believed you are being tortured and hanged,
  25. it's on you. The stakes are serious. Let me explain why I don't think Signal
  26. takes them seriously.
  28. ## Google Play
  30. Why do I make a big deal out of Google Play and Google Play Services? Well, some
  31. people might trust Google, the company. But up against nation states, it's no
  32. contest - Google has ties to the NSA, has been served secret subpoenas, and is
  33. literally the world's largest machine designed for harvesting and analyzing
  34. private information about their users. Here's what Google Play Services
  35. *actually* is: **a rootkit**. Google Play Services lets Google do silent
  36. background updates on apps on your phone and give them any permission they want.
  37. Having Google Play Services on your phone means your phone is not secure.[^1]
  39. [^1]: "But how is AOSP any better?" This is a common strawman counter-argument. Fact: There is empirical evidence which shows that Google Play Services does silent updates and can obtain any permission on your phone: a rootkit. There is no empirical evidence to suggest AOSP has similar functionality.
  41. For the longest time, Signal wouldn't work without Google Play Services, but
  42. Moxie (the founder of Open Whisper Systems and maintainer of Signal) finally
  43. fixed this in 2017. There was also a long time when Signal was only available on
  44. the Google Play Store. Today, you can [download the APK directly from
  45. signal.org](https://signal.org/android/apk/), but... well, we'll
  46. get to that in a minute.
  48. ## F-Droid
  50. There's an alternative to the Play Store for Android.
  51. [F-Droid](https://f-droid.org) is an open source app "store" (repository would
  52. be a better term here) which only includes open source apps (which Signal
  53. thankfully is).  By no means does Signal have to *only* be distributed through
  54. F-Droid - it's certainly a compelling alternative. This has been proposed, and
  55. Moxie has [definitively shut the discussion
  56. down](https://github.com/signalapp/Signal-Android/issues/127). Admittedly this
  57. is from 2013, but his points and the arguments against them haven't changed. Let
  58. me quote some of his positions and my rebuttals:
  60. >No upgrade channel. Timely and automatic updates are perhaps the most
  61. >effective security feature we could ask for, and not having them would be a
  62. >real blow for the project.
  64. F-Droid supports updates. If you're concerned about moving your updates quickly
  65. through the (minimal) bureaucracy of F-Droid, you can always run your own
  66. repository. Maybe this is a lot of work?[^2] I wonder how the workload compares
  67. to [animated gif search][gif-shit], a very important feature for security
  68. concious users. I bet that [50 million dollar donation][big-bucks] could help,
  69. given how many people operate F-Droid repositories on a budget of $0.
  71. [^2]: No, it's not.
  73. [gif-shit]: https://signal.org/blog/signal-and-giphy-update/
  74. [big-bucks]: https://signal.org/blog/signal-foundation/
  76. >No app scanning. The nice thing about market is the server-side APK scanning
  77. >and signature validation they do. If you start distributing APKs around the
  78. >internet, it's a reversion back to the PC security model and all of the
  79. >malware problems that came with it.
  81. Try searching the Google Play Store for "flashlight" and look at the permissions
  82. of the top 5 apps that come up. All of them are harvesting and selling the
  83. personal information of their users to advertisers. Is this some kind of joke?
  84. F-Droid is a curated repository, like Linux distributions. Google Play is a
  85. malware distributor.  Packages on F-Droid are reviewed by a human being and are
  86. [cryptographically signed](https://f-droid.org/en/docs/Signing_Process/). If you
  87. run your own F-Droid repo this is even less of a concern.
  89. I'm not going to address all of Moxie's points here, because there's a deeper
  90. problem to consider. I'll get into more detail shortly. You can read the
  91. 6-year-old threads tearing Moxie's arguments apart over and over again until
  92. GitHub added the feature to lock threads, if you want to see a more in-depth
  93. rebuttal.
  95. ## The APK direct download
  97. Last year Moxie added an official APK download to signal.org. He said this was
  98. up for "[harm reduction][harm-reduction]", to avoid people using unofficial
  99. builds they find around the net. The download page is covered in warnings
  100. telling you that it's for advanced users only, it's insecure, would you please
  101. go to the Google Play store you stupid user. I wonder, has Moxie considered
  102. communicating to people the risks of using the Google Play version?[^3]
  104. [^3]: Probably not, because that wouldn't be self-serving. But I'm getting ahead of myself.
  106. [harm-reduction]: https://github.com/signalapp/Signal-Android/issues/127#issuecomment-286223680
  108. The APK direct download doesn't even accomplish the stated goal of "harm
  109. reduction". The user has to manually verify the checksum, and figure out how to
  110. do it on a phone, no less. A checksum isn't a signature, by the way - if your
  111. government- or workplace- or abusive-spouse-installed certificate authority gets
  112. in the way they can replace the APK *and* its checksum with whatever they want.
  113. The app has to update itself, using a similarly insecure mechanism. F-Droid
  114. handles updates and actually signs their packages. This is a no brainer, Moxie,
  115. why haven't you put Signal on F-Droid yet?
  117. ## Why is Signal like this?
  119. So if you don't like all of this, if you don't like how Moxie approaches these
  120. issues, if you want to use something else, what do you do?
  122. Moxie knows about everything I've said in this article. He's a very smart guy
  123. and I am under no illusions that he doesn't understand everything I've put
  124. forth. I don't think that Moxie makes these choices because he thinks they're
  125. the right thing to do. He makes arguments which don't hold up, derails threads,
  126. leans on logical fallacies, and loops back around to long-debunked positions
  127. when he runs out of ideas. I think this is deliberate. An open source software
  128. team reads this article as a list of things they can improve on and gets
  129. started. Moxie reads this and prepares for war. Moxie can't come out and
  130. say it openly, but he's made the decisions he has made because they serve his
  131. own interests.
  133. Lots of organizations which are pretending they don't make self-serving decisions at
  134. their customer's expense rely on argumentative strategies like Moxie does. If
  135. you can put together an argument which on the surface appears reasonable, but
  136. requires in-depth discussion to debunk, passerby will be reassured that your
  137. position is correct, and that the dissenters are just trolls. They won't have
  138. time to read the lengthy discussion which demonstrates that your conclusions
  139. are wrong, especially if you draw the discussion out like Moxie does. It can be
  140. hard to distinguish these from genuine positions held by the person you're
  141. talking to, but when it conveniently allows them to make self-serving plays,
  142. it's a big red flag.
  144. This is a strong accusation, I know. The thing which convinced me of its truth
  145. is Signal's centralized design and hostile attitude towards forks. In open
  146. source, when a project is making decisions and running things in a way you don't
  147. like, you can always fork the project. This is one of the fundamental rights
  148. granted to you by open source. It has a side effect Moxie doesn't want, however.
  149. It reduces his power over the project. Moxie has a clever solution to this:
  150. centralized servers and trademarks.
  152. ## Trust, federation, and peer-to-peer chat
  154. Truly secure systems do not require you to trust the service provider. This is
  155. the point of end-to-end encryption. But we have to trust that Moxie is running
  156. the server software he says he is. We have to trust that he isn't writing down a
  157. list of people we've talked to, when, and how often. We have to trust not only
  158. that Moxie is trustworthy, but given that Open Whisper Systems is based in San
  159. Francisco we have to trust that he hasn't received a national security letter,
  160. too (by the way, Signal doesn't have a warrant canary). Moxie can *tell* us he
  161. doesn't store these things, but he could. **Truly secure systems don't require
  162. trust**.
  164. There are a couple of ways to solve this problem, which can be used in tandem.
  165. We can stop Signal from knowing when we're talking to each other by using
  166. peer-to-peer chats. This has some significant drawbacks, namely that both users
  167. have to be online at the same time for their messages to be delivered to each
  168. other. You can still fall back to peer-to-server-to-peer when one peer is
  169. offline, however. But this isn't the most important of the two solutions.
  171. The most important change is federation. Federated services are like email, in
  172. that Alice can send an email from gmail.com to Bob's yahoo.com address. I should
  173. be able to stand up a Signal server, on my own hardware where I am in control of
  174. the logs, and communicate freely with other Signal servers, including Open
  175. Whisper's servers. This distributes the security risks across hundreds of
  176. operators in many countries with various data extradition laws. This turns what
  177. would today be easy for the United States government to break and makes it much,
  178. much more difficult. Federation would also open the possibility for bridging the
  179. gap with several other open source secure chat platforms to all talk on the same
  180. federated network - which would spur competition and be a great move for users
  181. of all chat platforms.
  183. Moxie forbids you from distributing branded builds of the Signal app, and if you
  184. rebrand he forbids you from using the official Open Whisper servers. Because his
  185. servers don't federate, that means that users of Signal forks *cannot talk to
  186. Signal users*. This is a truly genius move. No fork of Signal[^4] to date has
  187. ever gained any traction, and never will, because you can't talk to any Signal
  188. users with them. In fact, there are no third-party applications which can
  189. interact with Signal users in any way. Moxie can write as many blog posts which
  190. appeal to wispy ideals and "moving ecosystems" as he wants[^5], but those are
  191. all *really* convenient excuses for an argument which allows him to design
  192. systems which serve his own interests.
  194. [^4]: See [LibreSignal](https://github.com/LibreSignal/LibreSignal) and [Silence](https://github.com/SilenceIM/Silence#silence-), particularly [this thread](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165).
  195. [^5]: See [Reflections: The ecosystem is moving](https://signal.org/blog/the-ecosystem-is-moving/). Yes, that's the unedited title.
  197. No doubt these are non-trivial problems to solve. But I have *personally* been
  198. involved in open source projects which have collectively solved similarly
  199. difficult problems a thousand times over with a combined budget on the order of
  200. tens of thousands of dollars.
  202. What were you going to do with that 50 million dollars again?